
Data security is a process that evolves over time as new threats emerge and new countermeasures are developed. The FTC’s longstanding advice to companies has been to conduct risk assessments, taking into account factors such as the sensitivity of information they collect and the availability of low-cost measures to mitigate risks. The FTC has also advised companies to keep abreast of security research and advice affecting their sector, as that advice may change. What was reasonable in 2006 may not be reasonable in 2016. This blog post provides a case study of why keeping up with security advice is important. It explores some age-old security advice that research suggests may not be providing as much protection as people previously thought.

When people hear that I conduct research on making passwords more usable and secure, everyone has a story to tell and questions to ask. People complain about having so many passwords to remember and having to change them all so frequently. Often, they tell me their passwords (please, don’t!) and ask me how strong they are. But my favorite question about passwords is: “How often should people change their passwords?” My answer usually surprises the audience: “Not as often as you might think.”

I go on to explain that there is a lot of evidence to suggest that users who are required to change their passwords frequently select weaker passwords to begin with, and then change them in predictable ways that attackers can guess easily. Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases. (And even if a password has been compromised, changing the password may be ineffective, especially if other steps aren’t taken to correct security problems.)

Mandated password changes are a long-standing security practice designed to periodically lock out unauthorized users who have learned users’ passwords. While some experts began questioning this practice at least a decade ago, it was only in the past few years that published research provided evidence that this practice may be less beneficial than previously thought, and sometimes even counterproductive. Let’s take a look at two excellent peer-reviewed papers that address this issue.

What actually happens when users are required to change their passwords?

The UNC researchers obtained the passwords to over 10,000 defunct accounts belonging to former university students, faculty, and staff. Users were required to change the password for these accounts every 3 months. For each account, the researchers were given a sequence of 4 to 15 of the user’s previous passwords – their total data set contained 51,141 passwords. The passwords themselves were scrambled using a mathematical function called a “hash.” In most password systems, passwords are stored in hashed form to protect them against attackers. When a user types in a password, the system runs it through the same mathematical function to produce a hashed version of the password they just typed. If it matches the hashed password that was previously stored for the user, then the user is able to log in.

The UNC researchers used password cracking tools to attempt to crack as many hashed passwords as they could in an “offline” attack. Offline attackers are not limited to a small number of guesses before being locked out. Attackers first gain access to a system and steal the hashed password file. They take that file to another computer and make as many guesses as they can. Rather than guessing every possible password in alphabetical order, cracking tools use sophisticated approaches to guess the highest probability passwords first, then hash each guess and check to see whether it matches one of the hashed passwords. The UNC researchers’ password cracking system ran for several months and eventually cracked about 60% of the passwords. For 7,752 accounts, the researchers were able to crack at least one password that was not the last password the user created for that account. The researchers used the passwords for this set of accounts to conduct the rest of their study.

The researchers then developed password cracking approaches that formulated guesses based on the previous password selected by a user. They observed that users tended to create passwords that followed predictable patterns, called “transformations,” such as incrementing a number, changing a letter to a similar-looking symbol (for example, changing an S to a $), adding or deleting a special character (for example, going from three exclamation points at the end of a password to two), or switching the order of digits or special characters (for example, moving the numbers to the beginning instead of the end). While not mentioned in this paper, I have heard from many users that they include the month (and sometimes year) of the password change in their passwords as an easy way to remember frequently changed passwords.

The researchers performed an experiment in which they used a subset of the passwords to train their cracking algorithm to apply the most likely transformations and then use it to crack the remaining passwords. The paper includes a lot of technical detail about what they did, but the bottom line results are striking. The UNC researchers found that for 17% of the accounts they studied, knowing a user’s previous password allowed them to guess their next password in fewer than 5 guesses. An attacker who knows the previous password and has access to the hashed password file (generally because they stole it) and can carry out an offline attack can guess the current password for 41% of accounts within 3 seconds per account (on a typical 2009 research computer). These results suggest that after a mandated password change, attackers who have previously learned a user’s password may be able to guess the user’s new password fairly easily.

The researchers also found that users who started with the weakest passwords were most susceptible to having their subsequent passwords guessed by applying transformations. In addition, they found that if they could crack a password using certain kinds of transformations once, they had a high probability of being able to crack additional passwords from the same account using a similar transformation. That is, once an attacker discovers that a user is applying a transformation to change their password, that attacker has a good chance of being able to crack the user’s password every time they change it.
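The defensive counterpart of the UNC findings is to refuse a new password that is only a predictable edit of the old one. The checker below is an added example, not code from the FTC post or the UNC paper: it recognises the transformation families the text lists (counter increments, look-alike symbol swaps, special characters added or removed, digits and symbols moved around) and rejects a candidate that is derived from the previous password. The look-alike table, the rule order and the helper names are my own assumptions about how such a policy check would be written.

```python
import string
from typing import Optional, Tuple

# Look-alike substitutions to undo when comparing the letter "core" of two
# passwords (constructed list; the UNC paper's own rule set is not on the page).
LOOK_ALIKES = str.maketrans({"$": "s", "@": "a", "!": "i", "1": "i",
                             "3": "e", "0": "o", "5": "s", "7": "t"})


def _split(pw: str) -> Tuple[str, str, str]:
    """Separate a password into its letters, digits and other characters."""
    letters = "".join(c for c in pw if c.isalpha())
    digits = "".join(c for c in pw if c.isdigit())
    symbols = "".join(c for c in pw if not c.isalnum())
    return letters, digits, symbols


def _core(pw: str) -> str:
    """Lowercase, undo look-alike substitutions and keep only letters."""
    return "".join(c for c in pw.lower().translate(LOOK_ALIKES) if c.isalpha())


def trivial_transformation(old: str, new: str) -> Optional[str]:
    """Name the predictable edit that turns `old` into `new`, or return None
    when the new password does not look derived from the old one.
    Rules are checked from most to least specific."""
    if old == new:
        return "unchanged"
    if old.casefold() == new.casefold():
        return "case change only"
    if sorted(old) == sorted(new):
        return "characters reordered"          # e.g. digits moved to the front
    old_l, old_d, old_s = _split(old)
    new_l, new_d, new_s = _split(new)
    same_letters = old_l.casefold() == new_l.casefold()
    if same_letters and old_s == new_s and old_d != new_d:
        return "digits changed"                # e.g. a counter incremented
    if same_letters and old_d == new_d and old_s != new_s:
        return "special characters changed"    # e.g. "!!!" -> "!!"
    if _core(old) == _core(new):
        return "look-alike substitution"       # e.g. S -> $, o -> 0
    return None


def accept_new_password(old: str, new: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy decision at password-change time: reject a password derived
    from the old one, then apply a minimum length. Returns (accepted, reason).
    The 12-character floor is an assumed policy value, not from the page."""
    kind = trivial_transformation(old, new)
    if kind is not None:
        return False, f"new password is the old one with a predictable edit ({kind})"
    if len(new) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample changes of the kinds the UNC study describes.
    for old, new in [("tarheels#1", "tarheels#2"), ("Password!!!", "Password!!"),
                     ("Sunshine5", "$unshine5"), ("password2015", "2015password"),
                     ("tarheels#1", "correct horse battery")]:
        print(f"{old!r:18} -> {new!r:24} {accept_new_password(old, new)}")
```

Checking the new password against the previous one only works where the server can see the old plaintext, which it does during a normal change flow (the user must type the old password to authorise the change); it is not possible against a stored hash alone, so the comparison has to happen at that moment and the old plaintext must be discarded afterwards.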

The Carleton researchers assume that an attacker will systematically attempt to guess every possible password until they guess the user’s password. Depending on the system policies and the attacker’s situation, this may happen quickly or very slowly. Attackers who know that users must create new passwords periodically will start the process over again if they don’t guess a user’s password after exhausting all guesses. Today, attackers who have access to the hashed password file can perform offline attacks and guess large numbers of passwords. The Carleton researchers demonstrate mathematically that frequent password changes only hamper such attackers a little bit, probably not enough to offset the inconvenience to users. (On the other hand, without inconveniencing users, system administrators can use slow hash functions, e.g. bcrypt, to make it significantly harder for attackers to guess large numbers of passwords.)
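To make the "only hamper such attackers a little bit" point concrete, here is an added worked model, not the Carleton paper's own analysis: an attacker who tries each of n equally likely passwords once, versus the same attacker when the user picks a fresh random password every period and only g guesses fit into a period. Without expiry the secret falls after (n + 1)/2 guesses on average; with expiry each period succeeds with probability g/n, so the expected total is n - (g - 1)/2, which is at most about twice as much work. The functions, the uniform-choice assumption and the sample sizes are mine, and the closed form is checked against a Monte Carlo run.

```python
import random


def expected_guesses_no_expiry(n: int) -> float:
    """Attacker works through all n equally likely passwords once; the secret
    is found after (n + 1) / 2 guesses on average."""
    return (n + 1) / 2


def expected_guesses_with_expiry(n: int, g: int) -> float:
    """Same attacker, but the user picks a fresh uniformly random password each
    period and only g <= n guesses fit into a period. Each period succeeds with
    probability g / n, so n / g periods are expected; in the final period the
    hit lands at guess (g + 1) / 2 on average."""
    if not 1 <= g <= n:
        raise ValueError("need 1 <= g <= n")
    periods = n / g
    return (periods - 1) * g + (g + 1) / 2      # = n - (g - 1) / 2


def security_gain(n: int, g: int) -> float:
    """How many times more expected work expiry costs the attacker (at most ~2)."""
    return expected_guesses_with_expiry(n, g) / expected_guesses_no_expiry(n)


def simulate_with_expiry(n: int, g: int, trials: int = 10_000, seed: int = 1) -> float:
    """Monte Carlo check of the closed form. Because the secret is uniform in
    every period, the attacker may as well guess the values 0..g-1 each time."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trials):
        while True:
            secret = rng.randrange(n)
            if secret < g:                       # hit at position secret + 1
                total += secret + 1
                break
            total += g                           # period exhausted, user rotates
    return total / trials


if __name__ == "__main__":
    n, g = 1_000_000, 1_000                      # constructed sizes for the demo
    print(f"no expiry:   {expected_guesses_no_expiry(n):,.0f} guesses")
    print(f"with expiry: {expected_guesses_with_expiry(n, g):,.0f} guesses (closed form)")
    print(f"simulated:   {simulate_with_expiry(n, g, trials=2_000):,.0f} guesses")
    print(f"gain factor: {security_gain(n, g):.3f}x")
```

Two caveats follow directly from the model. When the attacker can finish the whole space inside one period (g = n), expiry buys nothing at all, which is the offline-attack situation the text describes. And the model credits the user with a genuinely fresh random password each period; the UNC results show that real users do not do that, so the factor-of-two ceiling is an optimistic bound, whereas a slow hash lowers g for every period without asking anything of the user.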

The Carleton researchers also point out that an attacker who already knows a user’s password is unlikely to be thwarted by a password change. As the UNC researchers demonstrated, once an attacker knows a password, they are often able to guess the user’s next password fairly easily. In addition, an attacker who has gained access to a user’s account once may be able to install a key logger or other malware that will allow them to continue to access the system, even if the user changes their password.

There is also evidence from interview and survey studies to suggest that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down. In a study I worked on with colleagues and students at Carnegie Mellon University, we found that CMU students, faculty and staff who reported annoyance with the CMU password policy ended up choosing weaker passwords than those who did not report annoyance. I can relate to this: I am not inclined to put in much effort to come up with a strong password when I am suddenly prompted to change my password while trying to log in so I can get my work done. While we don’t yet have a controlled study demonstrating the impact of password expiration policies on user behavior, there is quite a bit of evidence to suggest that these policies may be counterproductive.

When should passwords be changed?

So, should you ever change your password? Well, sometimes. If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.

Regardless of why you are changing your password, choose a new password unrelated to the old one and don’t reuse a password from another account. Under some circumstances there may be other steps you should take as well to make sure your system or account has not been compromised in a way that will render your password change ineffective.

Should organizations mandate regular password changes? The National Institute of Standards and Technology (NIST) explained in a 2009 publication on enterprise password management that while password expiration mechanisms are “beneficial for reducing the impact of some password compromises,” they are “ineffective for others” and “often a source of frustration to users.” They went on to encourage organizations to balance security and usability needs, outlining some factors to consider. NIST emphasized that other aspects of password policies may have greater benefits than mandatory expiration, including requirements for password length and complexity, as well as use of slow hash functions with well-chosen “salt” (a technique to make sure that if two users have the same password they won’t look the same when hashed).
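The hashed-verification flow described earlier, the slow hash function recommended in the Carleton discussion and the per-user salt NIST mentions all come together in one small routine. The following is an added example, not code from the FTC post or from NIST: it stores a self-describing record of algorithm, work factor, salt and digest, verifies a login by re-running the same function, and compares in constant time. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (same role, no third-party dependency); the record format, iteration count and function names are my own.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000      # assumed default; tune so one check costs ~100 ms on your server


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'algorithm$iterations$salt$digest' (hex).
    A fresh random salt per user means two users with the same password
    get different records."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-run the same slow function with the stored salt and iteration count,
    then compare in constant time. Malformed or foreign records never verify."""
    try:
        algorithm, iterations_str, salt_hex, digest_hex = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations_str)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Rough cost of one guess at a given iteration count, for tuning the
    work factor: every guess in an offline attack pays this same price."""
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", b"0123456789abcdef", iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    # Constructed demo: same password, two users, two different records.
    alice = hash_password("correct horse battery")
    bob = hash_password("correct horse battery")
    print("alice:", alice)
    print("bob:  ", bob)
    print("records differ:", alice != bob)
    print("alice logs in:", verify_password("correct horse battery", alice))
    print("wrong password:", verify_password("correct horse batter", alice))
    for it in (1, 1_000, DEFAULT_ITERATIONS):
        print(f"{it:>8} iterations: {seconds_per_guess(it) * 1e3:8.2f} ms per guess")
```

Because the iteration count travels with the record, it can be raised later for new and re-verified passwords without invalidating existing ones, which is how the work factor keeps pace with faster hardware without a forced password change.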

So, depending on your particular situation, there may be some good reasons to require your users to change their passwords. However, it is important to assess the risks and benefits for your organization, as well as alternative ways of increasing security. Research suggests frequent mandatory expiration inconveniences and annoys users without as much security benefit as previously thought, and may even cause some users to behave less securely. Encouraging users to make the effort to create a strong password that they will be able to use for a long time may be a better approach for many organizations, especially when combined with slow hash functions, well-chosen salt, limiting login attempts, and password length and complexity requirements. And the best choice – particularly if your enterprise maintains sensitive data – may be to implement multi-factor authentication.

Organizations should weigh the costs and benefits of mandatory password expiration and consider making other changes to their password policies rather than forcing all users to keep changing their passwords.

The author’s views are his or her own, and do not necessarily represent the views of the Commission or any Commissioner.

Comments

This has been a longstanding position of mine, and is clearly supported by empirical evidence. Pleased to see that you along with others in the industry are starting to speak up about this archaic, outdated advice.

The blog post points to some research papers that investigate password length and complexity issues. You can generally achieve pretty good security and reasonable usability with a password that is about 12 characters long and has 3 different "character classes" (uppercase, lowercase, digit, symbol). It is best for non-lowercase letters to be placed somewhere other than the beginning and end of the password.

The only reason you would need a complex password is to stop brute force attacks. Now that the IT software companies have patched the systems to no longer work in that way, the only thing greater than 8 character passwords does is ensure that more users will be writing down their passwords. The systems need to be redesigned at the system level to only access sensitive information as late in the process as possible.

Password managers and 2FA really are the right direction here and to take it a step further and consider the removal of a password manager dependency, we should be promoting not a string of random characters and symbols but rather the adoption of password phrases which leads to organically longer passwords. While brute forcing phrases certainly is a consideration, this would overall increase the complexity of the attacks required and be a solution we can enact immediately through education.

Longer passwords ensure strengthened security and are a necessity at this juncture.

"There is also evidence... that users who know they will have to change their password do not choose strong passwords to begin with and are more likely to write their passwords down"

Weak passwords and the writing down of passwords are two different things. The researchers 'stole' the password file remotely, they did not physically enter and take the contents of a users desk, wallet, home, etc.

This relationship should be looked at the other way around: The SCARE WARNING issued for decades to never write down passwords is what results in weak passwords. Users should be encouraged to create strong passwords, AND to record them somewhere for reference. Remove the anxiety users have around holding all this stuff in their heads, and you'll get strong passwords.

I agree that writing down passwords is not necessarily a bad thing, especially if they are written down and stored in a secure place. I would rather have users choose strong passwords and write them down than choose weak passwords or use the same password everywhere because they are afraid to write their passwords down. But please don't leave your password on a sticky note on your computer or under your keyboard!

Agree. You change passwords for 2 primary reasons. 1 - to mitigate against brute force attacks. Passwords should be implemented with other controls like # unsuccessful attempts before lockout, etc. 2 - in case someone already has your password. This is kind of valid apart from the fact that if a bad guy has your password they have everything already and have likely implemented backdoors to regain access after you change your password.

Best advice - use strong passwords in combination with 2-factor if possible... don't be so quick to change that password which just results in weak passwords and bad practices.

I've been saying this to banking regulators and IT auditors for years. Common sense tells you that having one really strong password makes infinitely more sense than frequent changes. When you force people to make frequent changes they write them down, divert IT resources by locking themselves out, use less complex PWs etc.

The point here is that password security is not time-dependent. A five-year-old password is not demonstrably less secure than a five-minute-old one. Changing the locks on your house doesn't make it more secure from break-ins.

If in that 5 yr time your Linkedin or Adobe credentials were leaked on the blackweb, and you have a habit of using the same password across sites then yes it is less secure. That is the biggest reason for expiring passwords in my opinion.

If you create a strong password to start with, it won't be leaked on the darkweb. Those passwords are usually cracked from a hash list on a compromised system. The crackers are not going to spend much time trying to crack a password that would take trillions of centuries of computer time to crack. They take the easy ones and move on.

I'm really puzzled by this advice. If users choose weak password, implement controls which enforce strong passwords. Where possible, use multi factor authentication, for example by adding an OTP, which renders a leaked password useless.

Advising users *not* to change passwords regularly is poor advice, and does not add to security. Also, when giving such advice, do you assume that accounts are by definition not compromised at this point in time?

Last but not least, many account compromises are a result of keyloggers - in this case it doesn't matter whether a password is considered either ''weak'' or ''strong''.

If an account is compromised due to keylogger, changing your password doesn't help unless you first make sure the keylogger is completely removed. After removing the keylogger, then the password should definitely be changed.

Actually most password compromises are from getting password files and cracking them. Enforcing strong passwords that are frequently changed is just asking for users to write passwords down as insecurely as possible.

Don't think making it difficult for users to be secure is the same as being secure.

Niels, did you read the article? You say, "Advicing users *not* to change passwords regularly is a poor advice..." but the whole point of the article is that it IS poor advice, and gives studies and examples to show why. Everything this lady says is right on the money. As an IT and security professional, I would never foist a rotating password policy on my users- I've seen how ugly and counterproductive it is, time and time again. If I really really really want security- and I do- I go with two factor authentication. Now I'm sleeping easy (somewhat, anyhow...).

If you make security difficult for users, you simply drive a wedge between yourself and them. They do what they need to to get their job done. A security policy based on wishful thinking and old wives' tales does not help, and users will then route around you. You need to help them AND increase your security, which can be done. I love 2 factor authentication, and work to help my users keep our infrastructure secure.

At no time does this article advise users not to change their passwords. It advises not forcing them to. Any time you have reason to believe your password (or a similar one) has been compromised you should change it. In other words, change the password when there is a reason to, not on an arbitrary schedule. I will also point out that the conclusions in this article are based on research. We can talk about how we think people will behave or we can observe how they actually behave. I think the latter approach is more useful.

I'm going to chime in here and mention that if you "have any reason to believe your password (or a similar one) has been compromised", it's already too late. There is no telling how long ago it was compromised, how much they have accessed, or what they may have done under your identity. In my professional opinion, the "reason to" is preventative rather than reactive.

To me, it's not really about when you change your password. It's more about how savvy your hacker is. I could change my password every day, but if the hacker is able to hack it one time and smart enough to go in to my account, get what he needs and then out, changing my password frequently really didn't do me any good. It's time to move on to other options - biometrics, FOBs, etc, that would make it a little more challenging.

"if it ain't broke, don't fix it". if you have a password that hasn't been broken why would you change it? The only scenario where changing a password makes sense is if there is a brute force attack that takes a long time to go through every possible combination and you are hoping you will be changing it at a point where the new password is one that was already tried. That is pretty nonsensical.

Another aspect to consider is the scope and demographics of the user base. If the user base is primarily security experts and IT admins, go ahead and jack the password requirements all the way to 11 because those people will appreciate your strong stance and will likely use a random password generator anyway. But if the bulk of your users are only moderately skilled at general computing, you will be better served by carefully considering the user interface and user experience of password selection.

For example, the old skool method of rendering a cryptic error message that says something like "passwords must be at least 8 characters in length, contain at least one alpha-numeric digit, and at least one special character (!,@,#,$,%,^,&,*), and cannot contain underscores" is going to piss off your users. Instead of that, go to great UX and UI lengths to introduce a visual indicator of password strength that responds in real-time as they enter the password. This approach enlists the user in your army of security best practices, and they wind up happily joining the cause, rather than fighting it every step of the way and trying to "beat the system".

Furthermore, consider the demographics of your users because it will help you select good parameters for all other aspects of security. As we know, security is strongest when thought of like an onion - multi-layered. So consider the demographics of your end users so that you are enlisting their help in the cause at every step. They will love you and your system for it, and not try to circumvent it at every step!

Incidentally, I find it interesting that this comment module tells me to enter a username and then adds, "Don't use your email address". It's just interesting! Not sure why, though. Any comments on that?

You raise a good question in your last paragraph. These comments are posted publicly and whatever you enter as your username is posted too. If you use your email address as your username you will probably get email not only from people who read your comment, but also from spammers.

I also find the industry's ridiculous insistence on constant password changes annoying in the extreme! Especially for emails and such. Seriously if a person puts important personal information in their email they are basically asking for trouble. Hence hotmail's insistence on constant password changes is infuriating. My bank on the other hand hasn't bothered me for several years about changing my password and I am thankful for that. Personally I believe we are all responsible for our own personal information and we should be allowed to protect it as we see fit. I have several very effective passwords that I use for financial and other very important accounts that are fairly complex and I get angry when I am forced to dump good passwords for lesser passwords. I just start to run out of imagination. Last-- I REALLY RESENT BEING FORCED TO HAVE SO MANY PASSWORDS I HAVE TO KEEP A LEDGER JUST TO KEEP TRACK!!! And really the vendors we choose to do business with should have the responsibility for keeping our information safe if we are doing business with them!!! The responsibility for security should fall on them--not the consumer...

Yes, what they don't get is having 45 different accounts. If they all force you to change your password at different times, can you imagine what a nightmare it is to change all 45 and to remember 45 different passwords? I guess online becomes useless; we're going to go back to paper billing.

Thank you, thank you, thank you! Your post supports my effort to change password requirements used in companies in countries like Denmark, Sweden, Norway. Any ideas, what I can do to influence the requirements of future versions of PCI, HIPAA, SOX?

I definitely think that keeping the same password for a long period of time is problematic, especially if this password is used for a variety of different log ins. I couldn't agree with this article more in the sense that password changes should be mandatory in businesses. Many people forget or put off changing their password due to viewing it as lacking importance. Another useful article I read is: http://www.lucidica.com/blog/how-to-guides/top-tips-for-choosing-a-secure-password-that-you-wont-forget/. It details inside that when you decide/have to change your password what the best and most efficient way to do it is.

This was actually demonstrated by a former classmate of mine, criminologist Steven P Lab, about 20 years ago. He also established that lighting parking lots in shopping centers made them less safe because it provided shadows in which criminals could hide while illuminating potential victims.

I read with interest the article. I've been using a password manager for several years. Typical passwords look like 1@EcS9%oWpg1I. (generated for the posting) However one thing not addressed, the security questions. Using a password manager provides the opportunity to manage security questions:
What is the name of your high school? bzokudl
What was your first car? bawyzvy
Who is your favorite actor? awmwnxg
The password generator was reconfigured to generate the answers that are kept in the password manager too. Since the system is looking for a match, why provide an answer that may be found on the internet or be known by someone close to you?

What is wrong with using a really long password, like: onceilivedinaGreekrestaurant -- not one I've actually used. Running the characters together avoids the need to pound the spacebar. When hashed and salted, thirty characters or so should be hard to decipher but easy to remember. If asked to change, I can become Japanese, French, Italian, etc. Or I worked, slept, cleaned, pick your favorite verb. (2x26)^30 is about 3x10^51 -- keep you busy for a while.

Maybe you can influence the mymedicare.gov web site to stop requiring new passwords every 60 days. Most users visit the site less often than that, so every visit means a new password. It inconveniences millions of elderly people, forcing many who have bad password practices into even worse practices.

And while you're at it, maybe you can persuade mymedicare.gov to allow people - at their own option - to use second factors like RFC 6238 time-based one-time passwords (e.g. Google Authenticator) or FIDO U2F hardware keys.

If you can find a way, could someone please send this article to Medicare? They require a password change every 60 days even though I would argue most users don't have a need to log in that often. This results in a password change on every log in.

Social security website does the same thing, but at 180 days. I visit their website once a year so I can update what my retirement income will be. And every time I have to go through a re-authenticating process. Didn't figure out why until this year. Now I have a note on my calendar to login, just so I can change my password before it expires. It is lunacy.

From the replies I see here, many specific points in the article did not make it to the readers - at least the readers that are replying. Asking people to change the password is not a bad thing if done properly and it is beneficial. The article is not against that but rather against high-frequency, mandatory changes, the false sense of security when you force users to change it often and so on.

Also, MFA is not a replacement for strong passwords, as many seem to consider, but another, very useful layer of security, in addition to strong passwords changed rarely.

We've already seen that MFA with SMS is not that secure; at some point in time apps like Google Authenticator could be shown to have some weaknesses too, so relying on MFA and allowing the users to have any weak password for years is not the answer. Another point is that nobody seems to address the fact that most users are re-using the same passwords in different places - this is another scenario in which asking the user to change the passwords would be beneficial if at the same time you educate them properly...
